Your Final exam will be available on Saturday morning, December 9th at 6:00 AM and is due by 11:59 PM on Sunday, December 10th. You will have one try at the exam and must answer 75 questions in 90 minutes. Set aside a quiet time to make sure you give yourself every advantage. If you run into any system problems you must call me immediately at 910 880 1254 so that we can work them out. Best of luck on the exam.

I will post your final grades by Friday, December 15th.

Finally, we want to thank all of you for your hard work and interest in the topic. We have been telling everyone in the department just how incredible your discussions have been. You have brought a level of nuance and practicality that we rarely achieve in classroom discussions. Well done!

The final exam will be on Blackboard and will be 75 questions. I will post the exam on Saturday, December 9th @ 6:00 AM and give you until Sunday night, at 11:59 PM, to complete it. You have 90 minutes to complete the exam. If you have any problems with the software you must contact me immediately at 910 880 1254. I recommend you find a quiet place with good connectivity at which to take the exam.

I liked how you referred back to other topics that we have considered in the past 12 weeks.

Let me take you through our view of them:

IT Administrative Controls – really lax, both inside iPremier and at the ISP. I get the sense that very little is actually in control here. WoW on company equipment and company time? Poorly organized and poorly run.

IT Governance – There appears to be little knowledge of or interest in IT at the executive level of the company. How can this be for a company that runs on an e-platform? Inexcusable. Certainly, there is no conscious effort to guide IT as it supports the business. Ad-hoc decision making and a culture of "do what's needed now and we'll worry about the rest later" seem to be at work here.

Enterprise Architecture, IT Strategy, Portfolio Management – There doesn’t seem to be any.

Policy – Again, if they exist, they seem to be on the shelf like the disaster recovery plans. Even the CEO acknowledged that they needed a closer look at how they did things.

IT Services and Quality – Again, there does not appear to be a disciplined look at what IT services they are using/providing. Furthermore, there is no sense of continuous improvement, or some of the Disaster Recovery plan's problems would have been identified and fixed.

Outsourcing – They picked the ISP because they knew someone? Really?

Monitoring – It doesn't appear that they did much beyond the basics of operating a system. But then, if you haven't defined any IT services, how could you monitor them?

Risk – No risk culture in the organization, no risk culture in IT. I’m tempted to say that they looked at Disaster Recovery planning as a compliance issue, not as a control. They were required to have one, so someone wrote it and put it on the shelf for the auditors to see, but they never did anything with it.

All of this leads to a situation where a breach was eminently possible with a poor response guaranteed.

The whole idea of running an IT organization under control is that you have organizational discipline. This doesn't eliminate the potential problems of a security attack or any other risk. It makes such risks much less likely to occur, and it gives you a much better position from which to deal with them if they do occur. This is the point of everything you will be learning in this program.

What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?

Who or what do you think is the most significant risk to any organization?

Security education is spoken of often. Why is it important?

Refer back to Week 2's article on Cybersecurity and Boards. How do the topics there relate to Gartner's top 10 security processes?

How much attention do you pay to the security of your device, data, and behaviors?

The iPremier Case

Read the iPremier Case. Consider these questions when you prepare for class (Thu’s section) or Webex (Rich’s section).

How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?

The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?

You all seem to have the notion of risk and response down well. The three risk processes are:

Risk Governance – setting the appetite and tolerance of risk for the organization. The important point here is that IT risk should be treated like any other enterprise risk and the administration of IT risk governance should be part of the way the enterprise manages all its risk.

Risk Evaluation – What risks are you facing? How likely are they? How much impact will they have if they occur? The expected outcome of a risk is equal to its likelihood × its impact. The IT organization will need to deal with any IT risk whose expected outcome is greater than the enterprise's risk tolerance for risks of this sort.

Risk Response – you can address risks in four ways:

Accept it – just go with it (which means raising your risk tolerance if the expected outcome is greater than your current risk tolerance).

Transfer it – get insurance so that you alone don't feel all of the impact of the risk if it comes to be.

Mitigate it – put in controls to lessen the likelihood or impact of the risk. Residual risk is the risk that remains after your mitigation and should be less than your risk tolerance.

Avoid it – change what the organization is doing so as not to face the risk anymore. If you are worried about losing credit card information, don’t take credit cards.

FUD is a major player in all risk discussions and is evident in the AWA case. FUD stands for Fear, Uncertainty and Doubt. There are always things that we don't know or haven't experienced when thinking about making a change. It's natural. Both AWA and the EHR case we looked at earlier contained compliance risks. Sure, outsourcing changes the nature of compliance risk, although the ownership remains the same. We feel comfortable with what we have always done (do everything ourselves) even if we know we don't do it well. It takes some courage and a lot of due diligence to look at a new arrangement and see that it's no worse, maybe even better, than what we had before.

This is where controls come in. If you research what could go wrong, talk to others who have already made the move, design and review a set of controls that you think will work and put them in place, then, with audit, you should be able to make it work. In the AWA case, the firms they were looking at are very experienced and professional. Sabre works with over 400 airlines. To me, the risk of doing a good outsourcing deal is minimal as long as AWA pays attention to what it's doing. The risk of continuing as is and underfunding IT to the point of ruin is far higher.

What three types of IT risk are there? Can you give an example of each?

In your own words explain what occurs in each of the three processes included in the IT Risk Framework.

How can an organization respond to any IT risk?

The All World Airlines Case

Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis, would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.

The Audit Proposal Projects are due on Monday, December 11. The Fall Break is a great time for teams to complete the project, or at least to get a good start. You will have to submit your team's Audit Program Proposals (both document and video) as posts and assign a category of week 14.

There were a lot of good ideas about what metrics to include for Stars. A few of you focused too much on metrics that were internal to IT's operation. This is a common mistake for IT people. The business is more interested in what IT is contributing, not how they do it. The project portfolio is important because it is the overt link to business strategy. If you are funding projects that don't align with your strategy or the business' goals, it should come out here. ROI is very hard to measure, but you should try to, even if it's by business process metrics, not dollars.

Here are our thoughts:

Business Investments

Listed by key business goal – Business process metrics highlighted for each goal over time, with IT projects and total funding related to each goal. The goal is to show improvement on the business process metrics over time.

IT investments linked to each goal, projected ROI, funded or not; the goal is to show alignment of dollars.

IT projects currently underway; the goal is 100% on time, on budget, on scope.